What is the best way to securely pass a password into a Postgres SQL script to create a DB role?
1 Answer
While developing an automated Postgres schema deployment, I tried to find a way to securely create the dbuser password, pass it to the deployment script and store it in a secret manager, it doesn't matter which.
The hardest part was passing the environment variable into the SQL script and using it there. The way I found seems good and pretty secure.
The password is generated using openssl:
export ROLE_PASSWORD=$(openssl rand -base64 12)
The psql command is as follows:
psql -v password_to_save="$ROLE_PASSWORD" -a -h localhost -d postgres -U postgres -f test.sql
The SQL script:
\set ON_ERROR_STOP on
-- \echo :password_to_save
CREATE ROLE dbuser WITH
    LOGIN
    NOSUPERUSER
    NOCREATEDB
    NOCREATEROLE
    NOINHERIT
    NOREPLICATION
    CONNECTION LIMIT -1
    PASSWORD :'password_to_save';
As a result, the password is secured all the way to the implementation.
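A variant of the flow above in which the password travels only through the process environment and is read inside the script with psql's `\getenv` (psql 15 or later), so it is not part of psql's argument list. This is an added example, not part of the original answer; the `PSQL` and `SQL_FILE` override variables and the file name `create_role.sql` are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not from the original answer; PSQL and SQL_FILE are assumed names.
set -e

# 12 random bytes -> 16 base64 characters, as in the answer.
generate_role_password() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 12
    else
        head -c 12 /dev/urandom | base64   # fallback with the same length
    fi
}

# The script names the environment variable, never its value.
# \getenv needs psql 15+; :'var' quotes the value as an SQL literal.
write_role_script() {
    cat > "$1" <<'SQL'
\set ON_ERROR_STOP on
\getenv password_to_save ROLE_PASSWORD
CREATE ROLE dbuser WITH
    LOGIN
    NOSUPERUSER
    NOCREATEDB
    NOCREATEROLE
    NOINHERIT
    NOREPLICATION
    CONNECTION LIMIT -1
    PASSWORD :'password_to_save';
SQL
}

# psql inherits ROLE_PASSWORD from the environment; no secret is in argv.
deploy_role() {
    if [ -z "${ROLE_PASSWORD:-}" ]; then
        echo "ROLE_PASSWORD is not set" >&2
        return 1
    fi
    "${PSQL:-psql}" -X -a -h localhost -d postgres -U postgres -f "$1"
}

# Entry point: sh deploy_role.sh deploy
if [ "${1:-}" = "deploy" ]; then
    SQL_FILE=${SQL_FILE:-create_role.sql}
    ROLE_PASSWORD=$(generate_role_password)
    export ROLE_PASSWORD
    write_role_script "$SQL_FILE"
    deploy_role "$SQL_FILE"
    # Store "$ROLE_PASSWORD" in the secret manager here.
fi
```

The `CREATE ROLE ... PASSWORD` statement still reaches the server with the password in cleartext, so it can show up in the server log when statement logging (`log_statement`) covers DDL.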